Thursday, October 25, 2012

Though it doesn't seem to work yet, you can go here and get your key for Windows Media Center for Windows 8 Pro. I'm guessing it will go active tomorrow. I love WMC, and I'm guessing this will be Microsoft's last release of it; it seems they've chosen the Xbox as the go-forward media platform. Here's hoping some third parties can replicate the SmartGlass functionality for other devices with different software. :) Thanks for the heads up @GaborFari via @danielauger.

Thursday, October 18, 2012

As I posted earlier, server 2012 includes a new version of WSUS. There are a few gotchas associated with WSUS and Server 2012/Windows 8, especially as it pertains to using a previous version of WSUS. Here are some key points:

Windows 8 and Server 2012 "clients" will NOT work with WSUS 3.0 SP2 or any version that isn't shipped with 2012 unless this update is installed BEFORE any clients connect to it.

If your Win8/2012 clients attempted to talk to an older WSUS server before patching or upgrading, you will need to perform the following before they will update again:

Net stop wuauserv

rd /s %windir%\softwaredistribution\

Net start wuauserv

If your new WSUS 2012 server is downstream from an older WSUS server, it will have the same effect as if your clients were pulling directly from that older server. All WSUS servers between the clients and MSFT need to be newer or patched.

According to Microsoft, updates canNOT be scanned by an intermediary... i.e. HTTPS inspection must be turned off on content from Windows Update.

Client errors may manifest themselves as "error 0x80246003". According to the WSUS error table that corresponds to an unrecognized hash. I haven't completed my research yet but I'm guessing that the new endpoints will only honor update packages from MSFT using a new, stronger hash to raise security in the aftermath of the Flame malware.

Wednesday, October 17, 2012

As you may have noticed, WSUS can now be installed as a role service in Windows 2012. I'm using it successfully now with an "external" SQL server. If you plan on doing the same, note that when you install the role it will inform you that the Windows Internal Database feature is a prerequisite even though you don't intend on using it.

As you're going through install, feel free to un-check the Windows Internal Database feature. You'll get a chance to specify the SQL target during the configuration phase of the install and all should work right off the bat.

Wednesday, October 10, 2012

Microsoft Network Load Balancing can be difficult to setup reliably and there are a myriad of better options out there. With that enthusiastic endorsement, I'm writing this guide to walk you through (at a very high level) how to setup unicast clusters reliably.

Assumptions

2008r2 Servers (this should work down to 2k3 but there will be minor differences)

Both hosts are connected to the same switch or vSwitch

You can have at least two NICs per host

1 static IP address per NIC. (i.e. 2 per host)

1 IP for your clustered address

You really want to do this and don't have a better way to split network traffic

Example Network:

In this example, we use the following addresses. Substitute in yours where applicable.

HostA: 192.168.1.5, (IP For Cluster NIC) 192.168.1.6 (IP for Other)

HostB: 192.168.1.7, (IP For Cluster NIC) 192.168.1.8 (IP for Other)

ClusterIP: 192.168.1.22

Steps

Ensure each host has at least two NICs with the appropriate IPs configured. You *can* setup a unicast NLB cluster with one per host, but trust me you don't want to. (unless your app can't handle a multi-homed server)

(Do for each host) Navigate to the advanced TCP/IP settings->DNS tab of the adapter that will participate in the cluster and UNcheck the box "Register this connection's addresses in DNS"

Note: This will ensure that when the machine is looked up by its dedicated individual IP as opposed to the IP used by the cluster adapter which will share a MAC address with the other host.

Open the NLB Manager Administrative Tool and right click the root->New Cluster

Under Host, type the first host you wish to add, click connect, and then select the IP of the adapter that you removed from DNS a couple steps above and click "Next"

Set the priority and default state. Priority is this host's priority in the cluster where a lower number represents a higher priority, and default state represents the participation of this host in the cluster. If you're not sure, take the defaults of 1 and Started. Click "Next"

Click "Add" and put in your Cluster IP address. Click "Next"

On the next "Cluster Parameters" screen, put in the DNS alias you will use for the cluster IP under "Full Internet Name" and set "Cluster operation mode" to "Unicast". Click "Next".

Cluster Params

On the New Cluster: Port Rules you can accept the defaults unless you want to be explicit with your clustered ports. Click "Finish"

Quick note: MS NLB doesn't support automatic failover based on service status, I.E. if the host is responding to any network requests it is assumed to be up even though the service may have failed. That's why I chose to accept the default and host all services on the cluster IP and dedicate a NIC to the task. This has proven to be substantially more reliable. For security, ensure your firewall is active and configured correctly.

Right click the newly created cluster and click "Add host to cluster" and input the second host. Follow the same steps that we did above for this host and exit the wizard.

If you're using VMWare: perform the steps under "Configuring Unicast Mode" listed in this document. This disables the automatic MAC relocation on the vSwitches.

If desired, do a static DNS registration for the "full internet name" of the cluster.

That should do it. Remember that you will have to do fail-over manually in most circumstances.

Tuesday, October 2, 2012

As I'm sure you're aware, Microsoft recently announced the cancellation of Threat Management Gateway as well as Forefront Protection for Exchange & Sharepoint. This is disappointing news to many and I'm trying my best to avoid reading between the lines on this one.

That said, I found that on the fifth page of the comments the team posted a clarification post, which I'll quote here for reference:

Microsoft Server and Cloud Platform Team September 20th, 2012 2:32 PM

"We wanted to clarify some details around the discontinuation of Forefront TMG to help address many of the questions we’ve seen posted in the comments section.

First, it is important to note that while Forefront TMG is being discontinued, it will continue to be supported in mainstream support through April 14, 2015 and in extended support through April 14, 2020. When and how a customer transitions to a replacement solution will depend on how the customer is using TMG today. Customer use scenarios vary, but these general guidelines should help:

• For customers using TMG for caching, secure web gateway (forward proxy), and firewall, we recommend that, prior to April 14, 2020, customers examine the many vendor solutions available in market today that offer comparable features to the TMG product. Microsoft does not plan to transition this functionality to any other Microsoft products.

• For customers using TMG for reverse proxy, transitioning to Forefront UAG is an option. Most web publishing scenarios that are supported by TMG can be published by UAG, though specific functionality may not be identical. For customers who do not want to transition to Forefront UAG, customers should plan on transitioning to an alternative vendor solution prior to April 14, 2020.

• For customers using Forefront TMG Web Protection Services, we recommend that customers examine the many vendor solutions available in market today that offer comparable reputation services by Dec. 31, 2015. This product will no longer receive updates starting January 1, 2016.

We hope that these general guidelines provide additional clarity. Please continue to contact your Microsoft account teams or partner managers with any questions about your specific scenarios.